Massive flaw could have exposed every Gmail user’s address

A gaping security bug in Google’s systems may have been used to unearth millions upon millions of users’ email addresses. The activist claimed it took Google a month to rectify the problem after his report to the company.

Tel Aviv-based security researcher Oren Hafif discovered the bug and has informed Google, which has managed to resolve the problem.

However, before Hafif notified Google, he successfully retrieved
some 37,000 addresses from the system.
“I have every reason to believe every Gmail address could have
been mined,” Hafif told Wired.

He uploaded a video tutorial to his YouTube account at the
beginning of June.

Towards the end of last year, Hafif landed on a Gmail page stating that his access had been denied. After changing a single character in the page's URL, the Gmail page reported that he had been denied access to a different address.

He automated character changes using software called DirBuster.
“I could have done this potentially endlessly,” said
Hafif.
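The bug class the article describes, as an added illustration (constructed example, not Google's code): an "access denied" page that resolves an id taken from the URL and echoes the owning account's address leaks one address per id tried, so varying one character at a time enumerates them. The vulnerable form is shown beside a hardened form that returns one constant message, together with a leak check and a simple per-client detection over constructed log lines. The store, ids, page functions and log format are all assumptions for the example.

```python
from collections import defaultdict

# Constructed sample store mapping opaque ids in the URL to account addresses.
SHARES = {"a1b2": "alice@example.com", "a1b3": "bob@example.com"}

def denied_page_vulnerable(share_id: str) -> str:
    """Vulnerable form: the denial text names the address the id belongs to."""
    owner = SHARES.get(share_id)
    if owner is None:
        return "404 Not Found"
    return f"403 Access denied: you do not have access to {owner}"

def denied_page_hardened(share_id: str) -> str:
    """Hardened form: one constant message whether or not the id resolves, so
    the response carries no account address and does not distinguish ids."""
    return "403 Access denied"

def leaks_address(page_fn, ids) -> bool:
    """Defensive check: does any response to the given ids contain an address,
    or do responses differ between ids?  Either lets a caller mine addresses."""
    bodies = {page_fn(i) for i in ids}
    return any("@" in b for b in bodies) or len(bodies) > 1

def flag_enumeration(log_lines, threshold=20) -> dict:
    """Detection: count distinct denied ids per client in constructed access-log
    lines of the form '<client> <id> <status>' and return clients at or over
    the threshold, i.e. clients cycling through many ids against the page."""
    ids_per_client = defaultdict(set)
    for line in log_lines:
        client, share_id, status = line.split()
        if status in ("403", "404"):
            ids_per_client[client].add(share_id)
    return {c: len(s) for c, s in ids_per_client.items() if len(s) >= threshold}

if __name__ == "__main__":
    probe = ["a1b2", "a1b3", "zzzz"]
    print("vulnerable leaks:", leaks_address(denied_page_vulnerable, probe))
    print("hardened leaks:  ", leaks_address(denied_page_hardened, probe))
    # Constructed log: one client hammering 25 distinct ids, one normal client.
    logs = [f"10.0.0.5 a1b{i} 403" for i in range(25)] + ["10.0.0.9 a1b2 403"]
    print("flagged clients:", flag_enumeration(logs))
```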

While passwords weren’t provided, the bug may have left accounts
wide open to spam, phishing and password hacking attempts.

Google rewarded Hafif with $500 – which some commentators deemed
to be very low considering the work he did.

“Being a good person is not very profitable these days :),” Hafif posted on Twitter on Thursday.

A Google spokesperson confirmed to Wired that the company had
repaired the bug and awarded him some financial compensation.
However, Google did not respond to any further requests for
comment.